Security Basics mailing list archives

Re: what should I do when....


From: "Dan Anderson" <dan-anderson () cox net>
Date: Tue, 15 Jul 2008 16:02:01 -0500

On Tue, Jul 15, 2008 at 1:03 PM, Adriel Desautels <adriel () netragard com> wrote:
Ansgar,
       I almost feel like you are trying to create an argument just for the
sake of creating an argument.

I've been watching this thread with some amusement for almost 2
weeks... It seems to me that you _both_ are to the point where you
continue with this discussion just to hear yourselves talk.

1.  Adriel - I know what you are saying - I hear "My network is secure
- we have a firewall" all too often too - it's wrong to think that; we
all know that a firewall is not a magic security cure-all mitigating
all attack vectors.  Properly configured and maintained firewalls can
certainly make networks more secure, but holistic security requires a
risk-based approach. IDS/IPS is not a magic cure-all either; security
is a big arena and can only be measured in terms of being more or less
secure - there are no cure-alls; there are only "best practices" and
due-care/due-diligence efforts (of which having a firewall is part).
2.  The stated issue here was something about seeing scanning activity
in firewall logs (which is normal - the Internet is a threat-rich
environment); a properly configured and maintained firewall is an
appropriate device to mitigate this threat to some degree.  IDS/IPS
could give you more information/protection from the portion of the
scan that is not being blocked by the firewall.
3.  A firewall is indeed a "security device" - there are lots of
threats, and lots of "security devices" to counter those threats - a
brick is a "security device" when properly assembled (along with some
friends) into 6 walls.
4.  (Warning: Another bad analogy approaches) Continuing to rail
against firewalls is like saying diodes are useless because they are
not microprocessors.

If the OP still cares - Adriel's advice from the 8th was good
(paraphrased with my 2 cents thrown in):
1.  If it really bothers you and you are really sure that you don't
care if legitimate traffic from the other network gets blocked then
you can block them in your firewall - In my experience there is very
little point to doing this though (you'll have to do another IP
tomorrow, and another the day after, etc - good for job security, but
really not much point otherwise and it makes a management nightmare
(tracking and managing 10,000 blocked IPs, dealing with complaints
from Canadians who can no longer go to your site, etc)).
2.  You can send the logs to the abuse@ address for the company and
network provider - again, not much payoff; if you're lucky they might
look into it... It will probably turn out to be someone with a virus or
part of a botnet - you can feel good that you have helped shut down
0.0...01% of this sort of activity.  Again, basically pointless.
3.  If scanning activity does bother you that much you probably should
re-evaluate your security infrastructure.  When I worry about
something it generally turns out to be well-founded.

Dan
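As an added illustration of the advice above (not part of Dan's or Adriel's posts), a small Python script that summarises dropped connections per source from constructed iptables-style firewall log lines, flags sources that touch many distinct ports, and renders the lines one would attach to an abuse@ report. The log format, the port threshold and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in netfilter/iptables syslog style (not from the thread).
# 203.0.113.7 probes five ports; 198.51.100.2 retries one port; 192.0.2.55 is a lone UDP hit.
SAMPLE_LOG = """\
Jul 15 13:03:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Jul 15 13:03:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
Jul 15 13:03:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=80
Jul 15 13:03:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=443
Jul 15 13:03:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=3389
Jul 15 13:04:10 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.2 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22
Jul 15 13:04:11 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.2 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22
Jul 15 13:05:00 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=53
"""

# Assumed field layout; adjust the pattern to the firewall's actual log format.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)")


def parse_drops(log_text):
    """Yield (src, dst, proto, dport) for every line that matches the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def summarize_sources(log_text, port_threshold=4):
    """Return {src: {"hits": n, "ports": [...], "scan": bool}}.

    A source touching at least port_threshold distinct (proto, port) pairs is
    flagged as a scan; a single port retried many times is not."""
    ports = defaultdict(set)
    hits = defaultdict(int)
    for src, _dst, proto, dport in parse_drops(log_text):
        ports[src].add((proto, dport))
        hits[src] += 1
    return {
        src: {"hits": hits[src],
              "ports": sorted(p for _, p in ports[src]),
              "scan": len(ports[src]) >= port_threshold}
        for src in hits
    }


def abuse_report(summary):
    """One line per flagged source, the evidence you would paste into an abuse@ mail."""
    return [f"{src}: {info['hits']} dropped packets, ports {','.join(map(str, info['ports']))}"
            for src, info in sorted(summary.items()) if info["scan"]]
```

The length of the flagged list is also the number of per-IP block rules you would have to create and later retire, which is the management cost item 1 warns about.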

